feat: Support s3 table (#111)

Author: tuteng

examples/volume-and-s3-table-access/main.tf

@@ -0,0 +1,18 @@
+module "sn_managed_cloud_access_bucket" {
+  source = "../../modules/aws/volume-access"
+
+  external_id = "<your-organization>"
+  role        = "<your-role-name>"
+  buckets = [
+  ]
+
+  account_ids = [
+  ]
+}
+
+module "sn_managed_cloud_access_s3_table" {
+  source     = "../../modules/aws/s3-table-access"
+  role       = module.sn_managed_cloud_access_bucket.role
+  s3_tables  = []
+  depends_on = [module.sn_managed_cloud_access_bucket]
+}

modules/aws/s3-table-access/main.tf

@@ -0,0 +1,51 @@
+data "aws_caller_identity" "current" {}
+locals {
+  s3_tables_resource = distinct([for item in var.s3_tables : endswith(item, "/*") ? "${item}" : "${item}/*"])
+  tag_set            = merge({ Vendor = "StreamNative", Module = "StreamNative S3 Table Access", SNVersion = var.sn_policy_version }, var.tags)
+}
+
+######
+#-- Create the IAM role inline policy for the the StreamNative Cloud access to s3 table
+######
+resource "aws_iam_role_policy" "s3_access_policy" {
+  name = "${var.role}-s3-table"
+  role = var.role
+  policy = jsonencode({
+    "Version" : "2012-10-17",
+    "Statement" : [
+      {
+        "Sid" : "LakeFormationPermissionsForS3ListTableBucket",
+        "Effect" : "Allow",
+        "Action" : [
+          "s3tables:ListTableBuckets"
+        ],
+        "Resource" : [
+          "*"
+        ]
+      },
+      {
+        "Sid" : "LakeFormationDataAccessPermissionsForS3TableBucket",
+        "Effect" : "Allow",
+        "Action" : [
+          "s3tables:CreateTableBucket",
+          "s3tables:GetTableBucket",
+          "s3tables:CreateNamespace",
+          "s3tables:GetNamespace",
+          "s3tables:ListNamespaces",
+          "s3tables:DeleteNamespace",
+          "s3tables:DeleteTableBucket",
+          "s3tables:CreateTable",
+          "s3tables:DeleteTable",
+          "s3tables:GetTable",
+          "s3tables:ListTables",
+          "s3tables:RenameTable",
+          "s3tables:UpdateTableMetadataLocation",
+          "s3tables:GetTableMetadataLocation",
+          "s3tables:GetTableData",
+          "s3tables:PutTableData"
+        ],
+        "Resource" : local.s3_tables_resource
+      }
+    ]
+  })
+}

modules/aws/s3-table-access/variables.tf

@@ -0,0 +1,22 @@
+variable "sn_policy_version" {
+  description = "The value of SNVersion tag"
+  default     = "3.16.1" # {{ x-release-please-version }}
+  type        = string
+}
+
+variable "tags" {
+  default     = {}
+  description = "Extra tags to apply to the resources created by this module."
+  type        = map(string)
+}
+
+variable "s3_tables" {
+  default     = []
+  description = "User s3 tables and path name"
+  type        = list(string)
+}
+
+variable "role" {
+  description = "Your aws iam role for access s3 bucket"
+  type        = string
+}

modules/aws/s3-table-access/versions.tf

@@ -0,0 +1,10 @@
+terraform {
+  required_version = ">= 1.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 5.30"
+    }
+  }
+}

modules/aws/volume-access/main.tf

@@ -36,7 +36,7 @@ data "aws_iam_policy_document" "streamnative_management_access" {
 #-- Create the IAM role for the the StreamNative Cloud data plane access to s3 bucket
 ######
 resource "aws_iam_role_policy" "access_bucket_role" {
-  name = var.role
+  name = "${var.role}-s3-bucket"
   role = aws_iam_role.access_bucket_role.id
   policy = jsonencode({
     "Version" : "2012-10-17",
@@ -76,4 +76,9 @@ resource "aws_iam_role" "access_bucket_role" {
   path                 = "/StreamNative/"
   tags                 = local.tag_set
   max_session_duration = 43200
+}
+
+output "role" {
+  value       = var.role
+  description = "role name"
 }